01-27-2026, 12:30 PM
Medium
resolved
resolved
SQL injection in structure plugin
Bug reported by Volkov Fedor was disclosed at January 26, 2026, 8:11 pm | SQL Injection
An SQL injection flaw was discovered in ExpressionEngine's Structure plugin. User input from the channel_ids parameter was passed directly into SQL queries without proper sanitization. The vulnerability required admin panel access.